METHOD FOR SECURE DISTRIBUTION AND CONFIGURATION OF
ASYMMETRIC KEYING MATERIAL INTO SEMICONDUCTOR DEVICES

Field

This invention relates to the field of data security.

Background

In today's society, it is becoming increasingly important to transmit data
from one location to another in a manner that is clear and unambiguous to a
legitimate recipient, but incomprehensible to any illegitimate interlopers.
Accordingly, in certain situations, the data is encrypted and thereafter transmitted
to the legitimate recipient. At a later time, the legitimate recipient decrypts the
transmitted data for use.

One specific process for encrypting and decrypting data is referred to as
"asymmetric key cryptography." For asymmetric key cryptography, each device
is associated with a unique key pair that includes a public key and a private key. A
"public key" is used to identify a legitimate recipient of the transmitted data and
to encrypt data intended for that recipient. Normally, a "private key" is used to
decrypt the encrypted data. Thus, it is essential that the private key is loaded into
the device in a secure manner and is held in confidence within the device.

While asymmetric key cryptography provides a mechanism to protect the
integrity of data transmitted between two devices, there is no mechanism to ensure
that keying material, such as the private key, is loaded into each device in a secure
manner. One problem is that the keying material usually is produced at a facility
that is remotely located from the facility where an electronic component is
packaged. Thus, the transmission of the keying material may be intercepted
and/or modified during transit. This poses a security threat, especially when
keying material is produced and scheduled for loading into millions of electronic
components.

Likewise, there is no current mechanism in place to establish a 
"configuration window," namely a limited period of validity when an electronic 
component can be configured with selected keying materials. 



042390.P7704 



- 1 - Patent Application 

Express Mail No. EL466333398US 






BRIEF DESCRIPTION OF THE DRAWINGS

The features and advantages of the present invention will become apparent
from the following detailed description of the present invention in which:

Figure 1 is a perspective view of an illustrative embodiment of a
distribution network utilizing the present invention.

Figure 2 is an exemplary embodiment illustrating key generation
operations by the source.

Figure 3 is an exemplary embodiment illustrating operations performed by
the source of Figure 1 to produce a key bundle.

Figure 4 is an exemplary embodiment illustrating operations performed by
the source to securely provide configuration encryption keys "CEKs" to the
second destination of Figure 1.

Figure 5 is an exemplary embodiment illustrating operations performed by
the source to produce BEK P2 bundles for transfer to the second destination.

Figure 6 is an exemplary embodiment illustrating operations performed by
the source to securely provide sort encryption keys (SEKs) to the first destination
of Figure 1.

Figure 7 is an exemplary embodiment illustrating operations performed by
the source to encrypt CWIN bundles before transmission to the first destination of
Figure 1.

Figure 8 is an exemplary embodiment illustrating operations performed by
the source to encrypt BEK P1 before transmission to the second destination of
Figure 1.

Figure 9 is an exemplary embodiment illustrating operations to securely
load keying material into an electronic component.

Figures 10 and 11 illustrate exemplary operations within a reader situated
at the first destination.

Figures 12 and 13 illustrate exemplary operations within a reader situated
at the second destination.

Figure 14 illustrates exemplary operations to recover and verify the
integrity of a first part of a bundle encryption key (BEK P1).

Figure 15 illustrates an exemplary operation to recover keying material
from the key bundle.

DESCRIPTION

In general, the present invention relates to a technique for securely
transferring data from one location to another and subsequently storing the data
within an electronic component. Herein, certain details are set forth in order to
provide a thorough understanding of the present invention. It is apparent to a
person of ordinary skill in the art, however, that the present invention may be
practiced through many embodiments other than those illustrated. Also, well-known
circuits are not set forth in detail in order to avoid unnecessarily obscuring
the present invention.

In the following description, certain terminology is used to describe
features of the present invention. For example, an "electronic component"
includes one or more integrated circuits (ICs) having information storage
capabilities. In one embodiment, the electronic component is a single IC
protected by a semiconductor package, although it is contemplated that the
component may be multiple ICs placed within a package, one or more
non-packaged ICs, and the like. The information loaded into the electronic component
may include one or more encryption/decryption keys in either symmetric or
asymmetric form along with supporting digital certificates.

In addition, a "link" is broadly defined as one or more information-carrying
mediums (e.g., electrical wire, optical fiber, cable, bus, or air in
combination with wireless signaling technology) to establish a communication
pathway. This pathway is deemed "secure" when it is virtually impossible to
modify information routed over the pathway without such modification being
detected. The term "information" is defined as one or more bits of data, address,
and/or control. A "bundle" is a collection of information that may include keying
material. The term "combined" is generally defined as an arithmetic operation
such as concatenation, modular addition, hashing, or another mathematical
operation.

With respect to cryptographic functionality, a "cryptographic operation" is
an operation performed for additional security on information. These operations
may include encryption, decryption, hash computations, and the like. "Keying
material" includes any information needed for a specific cryptographic operation
such as one or more of the following: (1) a key being a specific series of bits, (2)
a key identifier, and (3) an integrity check value.

A "hash operation" is a one-way conversion of information to a fixed-length
representation referred to as a "hash value". Often, the hash value is
substantially less in size than the original information. It is contemplated that, in
some cases, a 1:1 conversion of the original information may be performed.

In addition, asymmetric key cryptography normally utilizes a root key. A
"root public key" is a public key at the origination of a digital certificate chain and
provides a starting point for verification of subsequent digital certificates. In
general, a "digital certificate" includes information used to authenticate a sender
of information. For example, in accordance with CCITT Recommendation X.509:
The Directory - Authentication Framework (1988), a digital certificate may
include information (e.g., a key) concerning a person or entity being certified, the
hash value of which is encrypted using the private key of a certification authority.
Examples of a "certification authority" include an original equipment
manufacturer (OEM), a software vendor, a trade association, a governmental
entity, a bank or any other trusted business or person. A "digital certificate chain"
includes an ordered sequence of two or more digital certificates arranged for
authorization purposes as described below, where each successive certificate
represents the issuer of the preceding certificate.

I. GENERAL ARCHITECTURE 

Referring to Figure 1, a perspective view of an illustrative embodiment of
a distribution network 100 utilizing the present invention is shown. Distribution
network 100 comprises a source 110, a first destination 120 and a second
destination 130. Source 110 is in communication with first destination 120 and
second destination 130 via links 140 and 150, respectively. It is contemplated that
source 110, first destination 120, and/or second destination 130 may be remotely
located from each other.

Herein, for one embodiment, source 110 is a system that produces keying
material and transfers this keying material to first and second destinations 120 and
130. The transfer may occur via links 140 and 150 as well as placement on one or
more portable tokens 160 and 170 (e.g., any programmable data storage device
such as a smart card, a magnetic-strip card, a floppy disk, a CD-ROM, and the
like). Preferably, portable token(s) 160 and 170 are sent through an out-of-band
information delivery mechanism (e.g., UPS®, FED EX®, mail, etc.).

First destination 120 (e.g., a sort facility) is responsible for initial testing
of an IC for the electronic component, loading of the IC with a first collection of
keying material in a secure manner, and transferring the IC to second destination
130. Second destination 130 (e.g., a configuration facility) is responsible for
configuring the electronic component by loading a second collection of keying
material originating from source 110 into the IC. The loading of the second
collection of keying material is based on a number of factors, including the
presence of the first collection of material, whether the configuration is performed
during an appropriate period of validity, whether the integrity of the downloaded
information has been compromised, and the like.

II. SECURE DELIVERY PROCESS 

Herein, Figures 2-8 illustrate an exemplary embodiment for delivering the
first and second collection of keying material in a secure manner from source 110
to first/second destinations 120 and 130 of Figure 1.

Referring now to Figure 2, an exemplary embodiment illustrating key
generation operations by source 110 is shown. Initially, a bundle encryption key
(BEK) is produced to encrypt a second collection of keying material produced at
the source such as a private key (PRK) and an integrity check value associated
with the BEK (referred to as "ICV BEK") as described in Figure 3. In one
embodiment, a random number generator (e.g., a hardware-based random number
generator or a software-based pseudo-random number generator) produces both a
first part of the BEK (BEK P1) and a second part of the BEK (BEK P2) as shown in
blocks 200 and 210. Acting as a symmetric key, the BEK is produced by
performing a logical operation on both BEK P1 and BEK P2 (block 220). The logical
operation may be an exclusive-OR (XOR) operation for example.

Referring now to Figure 3, an exemplary embodiment illustrating
operations performed by the source of Figure 1 to produce a key bundle (described
below) is shown. A digital certificate chain 300 is provided along with a private
key (PRK) 310 that can be used to create digital signatures for the lowest-level
certificate of digital certificate chain 300. PRK 310 and digital certificate chain
300 are targeted for loading into non-volatile memory within an electronic
component at the second destination 130 of Figure 1. For this embodiment,
digital certificate chain 300 includes a multi-level certificate chain (e.g., L1-L4
certificates) for subsequent use in verifying the integrity of digital signatures
created using PRK 310. A root certificate 301 is designated as the highest level
(L1) certificate. It is contemplated, however, that any certificate hierarchy may be
employed.

As described in Figure 3, a representation of this collection of keying
material 320 is encrypted using BEK 330 to produce an encrypted result 335
(labeled as "ENC BEK (PRK, ICV BEK)" where encryption is represented as "ENC").
As shown, keying material 320 includes PRK 310 and ICV BEK 340. ICV BEK 340 is
computed by performing a hash operation on PRK 310 and the contents of digital
certificate chain 300. Encrypted result 335 accompanied by digital certificate
chain 300 (collectively referred to as the "key bundle" 350) is transferred to
second destination 130 via link 150 (see Figure 1).

Referring now to Figure 4, an exemplary embodiment illustrating
operations performed by the source to securely provide configuration encryption
keys "CEKs" to the second destination of Figure 1 is shown. The CEKs are
transferred to the second destination in CEK bundles. Each "CEK bundle" is a
collection of a CEK, a key identifier associated with the CEK, and an integrity
check value for both the CEK and its associated key identifier. Multiple CEK
bundles are transferred because normal control policies at the second destination
require at least two CEKs to be provided (e.g., a two person control policy) before
decrypting a BEK P2 bundle (described below).

As shown, in this embodiment, three different configuration encryption
keys (CEK 1, CEK 2 and CEK 3) 400, 410, 420 are produced by a random number
generator utilized by the source. Also, key identifiers (KID C1, KID C2 and KID C3)
430, 440, 450 that correspond to each of the CEKs 400-420 are produced. Herein,
a "key identifier" is information that allows decryption hardware and/or software
to identify which CEK is placed on a token or used to encrypt packetized
information routed to the second destination in a BEK P2 bundle format as
described below.

For each corresponding CEK 400, 410 and 420, an integrity check value is
produced. Each integrity check value is computed by performing a hash operation
on a CEK and its corresponding KID. For example, the integrity check value
associated with CEK 1 400 (referred to as "ICV C1") 460 is computed by performing
a hash operation on both CEK 1 400 and KID C1 430. Likewise, the integrity check
values associated with CEK 2 410 and CEK 3 420, namely ICV C2 470 and ICV C3
480, are computed by performing hash operations on CEK 2 410, KID C2 440 and
CEK 3 420, KID C3 450 respectively.

After ICV C1, ICV C2 and ICV C3 460, 470 and 480 have been computed, a
plurality of CEK bundles 490-492 are produced. As previously mentioned, each
"CEK bundle" includes a CEK and its corresponding KID and ICV values. For
example, in this embodiment, a first CEK (CEK 1) bundle 490 includes KID C1 430,
CEK 1 400 and ICV C1 460 while a second CEK (CEK 2) bundle 491 includes KID C2
440, CEK 2 410 and ICV C2 470. A third CEK (CEK 3) bundle 492 includes KID C3
450, CEK 3 420 and ICV C3 480. Each of these CEK bundles 490-492 is stored
within separate portable token(s) 170 and distributed to an appropriate member or
members at the second destination. The portable token(s) 170 are sent
out-of-band (e.g., via mail, UPS®, FED EX®, etc.) as shown in Figure 1.

Referring now to Figure 5, an exemplary embodiment illustrating 
operations performed by the source to produce BEK P2 bundles for transfer to the 
second destination 130 is shown. In general, each "BEK P2 bundle" includes at 
least BEK P2 encrypted using any combination of CEKs. 

As shown, key identifiers are initially produced for identifying certain
CEK encryption combinations. For example, as shown, a first group key
identifier (KID C2 C3) 500 is produced. KID C2 C3 500 represents that information,
including BEK P2, is encrypted along this pathway using both CEK 2 410 and CEK 3
420. KID C2 C3 500 may be any chosen representation such as, for example, KID C2
440 and KID C3 450 combined, alphanumeric text, a resultant value computed from
a bitwise logical operation on KID C2 440 and KID C3 450, and the like. Similarly, a
second group key identifier (KID C3 C1) 510 represents that information is being
encrypted using both CEK 3 420 and CEK 1 400 while a third group key identifier
(KID C1 C2) 520 represents encryption using both CEK 1 400 and CEK 2 410.

As shown, hash operations are performed on both BEK P2 530 and each of
the group key identifiers (KID C2 C3 500; KID C3 C1 510; KID C1 C2 520) to produce
corresponding "group" integrity check values (ICV C2 C3 540; ICV C3 C1 550; ICV C1 C2
560). To produce a first configuration sub-bundle 570, ICV C2 C3 540 and BEK P2
530 are encrypted using CEK 2 410, which is represented as "E CEK2 (BEK P2,
ICV C2 C3)". Thereafter, first configuration sub-bundle 570 is encrypted using
CEK 3 420 and combined with KID C2 C3 500 to produce a first BEK P2 bundle 580.
Likewise, in order to produce a second configuration sub-bundle 571, both
ICV C3 C1 550 and BEK P2 530 are encrypted using CEK 3 420, which is represented
as "E CEK3 (BEK P2, ICV C3 C1)". Thereafter, second configuration sub-bundle 571 is
encrypted using CEK 1 400 and combined with KID C3 C1 510 to produce a second
BEK P2 bundle 581. Likewise, to produce a third configuration sub-bundle 572,
both ICV C1 C2 560 and BEK P2 530 are encrypted using CEK 1 400, which is
represented as "E CEK1 (BEK P2, ICV C1 C2)". Thereafter, third configuration
sub-bundle 572 is encrypted using CEK 2 410 and combined with KID C1 C2 520 to
produce a third BEK P2 bundle 582. These BEK P2 bundles 580-582 are sent to
second destination via link 150 as shown in Figure 1.

Referring now to Figure 6, an exemplary embodiment illustrating
operations performed by the source to securely provide sort encryption keys
(SEKs) to the first destination of Figure 1 is shown. The SEKs are transferred to
the first destination in SEK bundles. Each "SEK bundle" is a collection of a
unique SEK from the set of SEKs, a key identifier associated with that SEK, and
an integrity check value of both the SEK and key identifier. Multiple SEK
bundles are transferred because the control policies at the first destination require
at least two SEKs to be provided (e.g., a two person control policy) before
decrypting configuration window (CWIN) bundles.

More specifically, a CWIN bundle includes a "current SEK" (SEK SC) and
a "next SEK" (SEK SN) as described in Figure 7. Herein, "SEK SC" represents a
current period of validity and "SEK SN" represents a future period of validity. This
"period of validity" is defined by the rate at which SEK SN is changed in
succession. This period of validity may be periodic in nature (e.g., a set number
of days, weeks or months) or random. By the use of both SEK SC and SEK SN, a
valid window for configuration of an electronic component is established. Of
course, when the configuration window is updated (e.g., the future period of
validity has lapsed), SEK SN is converted to SEK SC and a new SEK SN is produced.
This continues so that no electronic components associated with validity periods
outside this configuration window may be configured at a later time.

As shown in Figure 6, in this embodiment, three different sort encryption
keys (SEK 1, SEK 2 and SEK 3) 600, 610, 620 are produced by a random number
generator utilized by the first destination. Also, key identifiers (KID S1, KID S2 and
KID S3) 630, 640, 650 that correspond to each of the SEKs are produced. These key
identifiers 630, 640, 650 allow decryption hardware and/or software to identify
which SEK is placed on a token or which SEKs are used to encrypt packetized
information routed to the first destination.

For each corresponding sort encryption key 600, 610 and 620, an integrity
check value is produced. Each integrity check value is computed by performing a
hash operation on a SEK and its corresponding KID. For example, the integrity
check value for a first member (ICV S1) 660 is a hash value produced by
performing a hash operation on SEK 1 600 and KID S1 630. Likewise, the integrity
check values for second and third entries (ICV S2 and ICV S3) 670 and 680 are
hash values produced by performing hash operations on SEK 2 610, KID S2 640 and
SEK 3 620, KID S3 650 respectively.

After ICV S1, ICV S2 and ICV S3 660, 670 and 680 have been computed, a
plurality of SEK bundles 690-692 are produced. Each "SEK bundle" includes a
SEK and its corresponding KID and ICV values. For example, in this
embodiment, a first SEK (SEK 1) bundle 690 includes KID S1 630, SEK 1 600 and
ICV S1 660 while a second SEK (SEK 2) bundle 691 includes KID S2 640, SEK 2 610
and ICV S2 670. A third SEK (SEK 3) bundle 692 includes KID S3 650, SEK 3 620
and ICV S3 680. Each of these SEK bundles 690-692 is placed on a portable token
and distributed out-of-band to an appropriate member or members at the first
destination. The portable token(s) 160 are sent out-of-band as shown in Figure 1.

Referring now to Figure 7, an exemplary embodiment illustrating
operations performed by the source to encrypt CWIN bundles before transmission
to the first destination of Figure 1 is shown. Initially, key identifiers (KID SC,
KID SN) 700 and 710 are produced to represent a SEK SC 720 and a SEK SN 730.
Also, group key identifiers (KID S2 S3 740, KID S3 S1 750, KID S1 S2 760) are produced
to represent the SEKs used to encrypt a combination of KID SC 700, SEK SC 720,
KID SN 710, and SEK SN 730 (referred to as the "configuration window material"
735) for each CWIN bundle 790-792.

As shown, key identifiers are initially produced for identifying certain
SEK encryption combinations. For example, as shown, a first group key identifier
(KID S2 S3) 740 is produced. KID S2 S3 740 is configured to represent that
information, including configuration window material 735, is encrypted using
both SEK 2 and SEK 3. KID S2 S3 740 may be any chosen representation such as
KID S2 640 and KID S3 650 combined, alphanumeric text, a resultant value
computed from a bitwise logical operation on KID S2 640 and KID S3 650, and the
like. Similarly, a second group key identifier (KID S3 S1) 750 is designed to
represent that information is being encrypted using both SEK 3 620 and SEK 1 600
while a third group key identifier (KID S1 S2) 760 represents encryption using both
SEK 1 610 and SEK 2 620.

As shown, hash operations are performed on configuration window
material 735 and each of the group key identifiers (KID S2 S3 740; KID S3 S1 750;
KID S1 S2 760) to produce corresponding group integrity check values (ICV S2 S3 770;
ICV S3 S1 771; ICV S1 S2 772). To produce a first sort sub-bundle 780, both ICV S2 S3
770 and configuration window material 735 are encrypted using SEK 2 610.
Thereafter, first sort sub-bundle 780 is encrypted using SEK 3 620 and combined
with KID S2 S3 740 to produce a first CWIN bundle 790. Likewise, in order to
produce a second sort sub-bundle 781, both ICV S3 S1 771 and configuration
window material 735 are encrypted using SEK 3 620. Thereafter, second sort
sub-bundle 781 is encrypted using SEK 1 600 and combined with KID S3 S1 750 to
produce a second CWIN bundle 791. Likewise, to produce a third sort sub-bundle
782, both ICV S1 S2 772 and configuration window material 735 are encrypted using
SEK 1 600. Thereafter, third sort sub-bundle 782 is encrypted using SEK 2 610 and
combined with KID S1 S2 760 to produce a third CWIN bundle 792. These CWIN
bundles 790-792 are sent to the first destination via link 140.

Referring now to Figure 8, an exemplary embodiment illustrating
operations performed by the source to encrypt BEK P1 800 before transmission to
the second destination of Figure 1 is shown. To limit the scope of key
compromise, short periods of validity should be used for all keys. By encrypting
BEK P1 800 with two sort encryption keys whose value changes periodically,
namely SEK SC 720 and SEK SN 730, a valid configuration window is created for a
given electronic component. In particular, at a predetermined or randomly chosen
moment, source 110 replaces the value associated with SEK SC 720 with SEK SN
730 and a new SEK SN 730 is generated.

As shown, BEK P1 800 and KID SC 700 undergo a hash operation, which
produces an integrity check value for the SEK SC (referred to as "ICV SC") 810.
Both ICV SC 810 and BEK P1 800 are encrypted using SEK SC 720 and combined
with KID SC 700 to produce a first BEK P1 bundle 820. Concurrently, BEK P1 800
and KID SN 710 undergo a hash operation, which produces an integrity check value
for SEK SN (referred to as "ICV SN") 830. Both ICV SN 830 and BEK P1 800 are
encrypted using SEK SN 730 and combined with KID SN 710 to produce a second
BEK P1 bundle 840. First and second BEK P1 bundles 820 and 840 are separately
loaded within the electronic component as keying material for internal decryption
operations (see Figures 9A and 9B).

III. SECURE RECOVERY PROCESS 

A. Recovery of SEK SC and SEK SN

This operation takes place at the first destination 120. Referring now to
Figures 9A, 10, and 11, for this illustrative example, the first and second operators
assigned with SEK 1 and SEK 2 are present to facilitate recovery of SEK SC 720 and
SEK SN 730. Upon placement of their tokens 160 1 and 160 2 into a sort system 900,
the validity of the data in tokens 160 1 and 160 2 is tested. In particular, as shown in
Figure 10, KID S1 630 and SEK 1 600 from SEK 1 bundle 690 (stored in token 160 1)
undergo a hash operation to produce a first test hash value 910. The first test hash
value 910 is compared with ICV S1 660 that is part of SEK 1 bundle 690.
Additionally, KID S2 640 and SEK 2 610 from SEK 2 bundle 691 (stored in token
160 2) may undergo a hash operation to produce a second test hash value 920.
Second test hash value 920 is compared with ICV S2 670 that is part of SEK 2
bundle 691. If matches are detected between both (i) ICV S1 660 and first test hash
value 910 and (ii) ICV S2 670 and second test hash value 920, sort system 900
proceeds to attempt recovery of SEK SC and SEK SN from CWIN bundles 790-792.
Otherwise, a warning may be issued to indicate that the contents of one or both of
the tokens are invalid.

To recover SEK SC and SEK SN, as shown in Figure 11, application software
within sort system 900 is provided with SEK 1 and SEK 2 (stored in the tokens) and
determines that it can decrypt third CWIN bundle 792 after reading KID S1 S2 760.
Third CWIN bundle 792 is decrypted (where decryption is represented as "DEC")
to recover KID SC 700, SEK SC 720, KID SN 710, SEK SN 730 and ICV S1 S2 760. The
integrity of third CWIN bundle 792 is verified by performing a hash operation on
KID S1 S2 760, KID SC 700, SEK SC 720, KID SN 710 and SEK SN 730 to produce a third
test hash value 930. Third test hash value 930 is compared to ICV S1 S2 760 and if a
match is detected, SEK SC 720 and SEK SN 730 are loaded into non-volatile memory
1005 within electronic component 1000. After the loading of SEK SC 720 and
SEK SN 730, electronic component 1000 is transferred to the second destination for
loading of the key bundle 350 of Figure 3.

As an alternative, it is contemplated that above-described authentication
functions involving contents of the SEK bundles 690-692 and CWIN bundles
790-792 may be performed within the tokens 160 themselves, in lieu of the sort system
900.

B. Recovery of BEK P2 

This operation takes place in the second destination 130. Referring now to
Figures 9B, 12 and 13, for this illustrative example, the second and third operators
assigned with CEK 2 and CEK 3 are present to facilitate the recovery of BEK P2.
Upon placement of their tokens 170 2 and 170 3 into a configuration system 905, the
validity of the data in tokens 170 2 and 170 3 is tested. In particular, as shown in
Figure 12, KID C2 440 and CEK 2 410 from the CEK 2 bundle 491 (stored in token
170 2) undergo a hash operation to produce a fourth test hash value 940. Fourth
test hash value 940 is compared with ICV C2 470. Additionally, KID C3 450 and
CEK 3 420 from CEK 3 bundle 492 (stored in token 170 3) undergo a hash operation
to produce a fifth test hash value 950. The fifth test hash value is compared with
ICV C3 480. If matches are detected between both (i) ICV C2 470 and the fourth test
hash value 940 and (ii) ICV C3 480 and the fifth test hash value 950, configuration
system 905 proceeds to attempt recovery of BEK P2 530 from BEK P2 bundles
580-582. Otherwise, a warning may be issued to indicate that the contents of one or
both tokens are invalid.

As shown in Figure 13, to recover BEK P2 530, application software within
configuration system 905 is provided with CEK 2 and CEK 3 and identifies that it
can decrypt first BEK P2 bundle 580 after reading KID C2 C3 500. First BEK P2
bundle 580 is decrypted using CEK 3 420 and CEK 2 410 to recover BEK P2 530 and
ICV C2 C3 540. The integrity of first BEK P2 bundle 580 is verified by performing a
hash operation on both BEK P2 530 and KID C2 C3 500 to obtain a sixth test hash
value 960. Sixth test hash value 960 is compared to ICV C2 C3 540, which is part of
first BEK P2 bundle 580. If a match is detected, BEK P2 530 is loaded into volatile
memory within electronic component 1000.

As an alternative, it is contemplated that above-described authentication 
functions involving contents of the CEK bundles 490-492 and BEK P2 bundles 
580-582 may be performed within the tokens 170 themselves, in lieu of the 
configuration system 905. 

C. Recovery of BEK P1 

Referring to Figures 9B and 14, electronic component 1000 is provided
with BEK P1 bundles 820 and 840. As set forth in Figure 8, a first BEK P1 bundle
820 includes KID SC 700 and a result of BEK P1 800 and ICV SC 810 encrypted using
SEK SC 720. Second BEK P1 bundle 840 includes KID SN 710 and a result of BEK P1
800 and ICV SN 830 encrypted using SEK SN 730. Since SEK SC 720 and SEK SN 730
were loaded into non-volatile memory 1005 within electronic component 1000
during the sort process, first and second BEK P1 bundles 820 and 840 can be
decrypted to recover BEK P1.

In particular, as shown in Figure 14, first BEK P1 bundle 820 is decrypted
using SEK SC 720 to recover BEK P1 800 and ICV SC 810 from that bundle. The
integrity of first BEK P1 bundle 820 can be verified by performing a hash operation
on both KID SC and BEK P1 to produce a seventh test hash value 970 and comparing
seventh test hash value 970 with ICV SC 810. If a match is detected, BEK P1 800 is
verified and stored in volatile memory within electronic component 1000. If a
match is not detected, the second BEK P1 bundle 840 is decrypted using SEK SN 730
to recover BEK P1 800 and ICV SN 830. The integrity of second BEK P1 bundle 840
can be verified by performing a hash operation on both BEK P1 800 and KID SN 710.
This produces an eighth test hash value 980. Then, eighth test hash value 980 is
compared to ICV SN 830. If a match is detected, BEK P1 800 is verified and stored
in volatile memory within electronic component 1000.

Although not shown, it is contemplated that BEK P1 800 cannot be
recovered if neither the SEK SC nor the SEK SN, when configuring the BEK P1
bundles 800, is equivalent to SEK SC 720 and SEK SN 730 loaded within the
material (e.g., electronic component 1000) at the first destination. This could
prevent invalid configuration of stolen components.

D. Recovery of BEK 

Referring still to Figure 9B, an exemplary embodiment of the recovery of 
BEK is shown. As described above, BEK P1 800 is accessed from internal volatile 
memory within electronic component 1000 while BEK P2 530 is loaded by 
electronic component 1000 into its volatile memory from configuration system 
905. Within electronic component 1000, a logical operation (e.g., an XOR) 1010 
is performed on both BEK P1 800 and BEK P2 530. This produces BEK 330. 

E. Recovery of PRK and Digital Certificate Chain 

Referring to Figures 3, 9B, 14 and 15, an exemplary embodiment 
illustrating operations to recover PRK 310 and digital certificate chain 300 is 
shown. Key bundle 350 is loaded into electronic component 1000. Since BEK 
330 has been computed, it is contemplated that PRK 310 and ICV BEK 340 can be 
recovered from encrypted result 335 that is stored in key bundle 350. This allows 
the integrity of key bundle 350 to be verified by computing a hash operation of the 
recovered PRK 310 and digital certificate chain 300 that accompanies encrypted 
result 335. If the computed hash value 1050 matches ICV BEK 340, the contents of 
key bundle 350 are valid. Thus, PRK 310 and digital certificate chain 300 are 
stored in non-volatile memory 1005 within electronic component 1000. Once that 
is completed, SEK SC and SEK SN are erased from non-volatile memory 1005. 
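The recovery flow of sections C through E, written out as an added Python example that is not part of the patent text. The patent names neither a cipher nor a hash, so the SHA-256 counter keystream, the SHA-256 ICV, the field order inside each hash, all function names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def keystream_crypt(key: bytes, data: bytes) -> bytes:
    # Stand-in symmetric cipher (SHA-256 counter keystream); encrypt == decrypt.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, stream))

def icv(*parts: bytes) -> bytes:
    # Integrity check value: hash over the concatenated fields (assumed SHA-256).
    return hashlib.sha256(b"".join(parts)).digest()

def seal(key: bytes, secret: bytes, bound: bytes) -> bytes:
    # Source side: encrypt secret || ICV; the ICV also covers the cleartext field.
    return keystream_crypt(key, secret + icv(bound, secret))

def unseal(key: bytes, blob: bytes, bound: bytes):
    # Component side: decrypt, recompute the test hash, compare with the stored ICV.
    plain = keystream_crypt(key, blob)
    secret, stored = plain[:-32], plain[-32:]
    return secret if hmac.compare_digest(icv(bound, secret), stored) else None

def recover_bek_p1(p1_bundles, sek_sc: bytes, sek_sn: bytes):
    # Section C: first bundle under SEK SC, then second bundle under SEK SN.
    for (kid, blob), sek in zip(p1_bundles, (sek_sc, sek_sn)):
        bek_p1 = unseal(sek, blob, kid)
        if bek_p1 is not None:
            return bek_p1
    return None  # neither stored SEK fits: the component stays unconfigured

def recover_prk(enc_result: bytes, cert_chain: bytes, bek_p1: bytes, bek_p2: bytes):
    # Section D: BEK = BEK P1 XOR BEK P2. Section E: decrypt, check ICV BEK.
    bek = bytes(a ^ b for a, b in zip(bek_p1, bek_p2))
    return unseal(bek, enc_result, cert_chain)

def demo():
    # Constructed sample values; nothing here comes from the patent.
    sc, sn = b"S" * 32, b"N" * 32
    p1, p2 = b"\x11" * 32, b"\xa5" * 32
    prk, chain = b"constructed-private-key", b"constructed-cert-chain"
    bek = bytes(a ^ b for a, b in zip(p1, p2))
    bundles = [(b"KID-SC", seal(sc, p1, b"KID-SC")),
               (b"KID-SN", seal(sn, p1, b"KID-SN"))]
    key_bundle = seal(bek, prk, chain)
    ok = recover_prk(key_bundle, chain, recover_bek_p1(bundles, sc, sn), p2)
    late = recover_bek_p1(bundles, b"X" * 32, sn)           # only SEK SN matches
    stolen = recover_bek_p1(bundles, b"X" * 32, b"Y" * 32)  # neither SEK matches
    return ok, late, stolen
```

`demo()` returns the recovered private key, the BEK P1 recovered through the second bundle, and `None` for a component whose stored SEKs match neither bundle.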

While this invention has been described with reference to illustrative 
embodiments, this description is not intended to be construed in a limiting sense. 
Various modifications of the illustrative embodiments, as well as other 
embodiments of the invention, which are apparent to persons skilled in the art to 
which the invention pertains are deemed to lie within the spirit and scope of the 
invention. 
CLAIMS 

What is claimed is: 

1. A method comprising: 

storing a current sort encryption key (SEK) at a first destination in an 
internal memory of an electronic component; 

storing a next SEK at the first destination in the internal memory; 

providing the electronic component to a second destination; and 

recovering a private key at the second destination from a key bundle based 
on the current SEK, the next SEK and a plurality of bundles received at the second 
destination. 

2. The method of claim 1, wherein prior to storing the current SEK at 
the first destination, the method further comprises: 

transferring at least a first bundle to the first destination via a first link; and 

transferring at least a second bundle to the first destination via a first 
out-of-band information carrying mechanism. 

3. The method of claim 2, wherein the first bundle includes a plurality 
of configuration window (CWIN) bundles. 

4. The method of claim 3, wherein each of the CWIN bundles 
includes a configuration window material, the configuration window includes (i) a 
first key identifier associated with the current SEK, (ii) the current SEK, (iii) a 
second key identifier associated with the next SEK, (iv) the next SEK and (v) a 
group integrity check value for a first encryption key and a second encryption key. 

5. The method of claim 4, wherein the configuration window material 
is encrypted with the first encryption key and the second encryption key. 

6. The method of claim 5, wherein each CWIN bundle further 
includes a group identifier associated with the first encryption key and the second 
encryption key. 

7. The method of claim 3, wherein the second bundle includes a 
plurality of sort encryption key (SEK) bundles. 

8. The method of claim 7, wherein each of the SEK bundles includes 
(i) a sort encryption key, (ii) a key identifier associated with the sort encryption 
key and (iii) an integrity check value associated with the sort encryption key. 

9. The method of claim 2, wherein prior to storing the current SEK at 
the first destination, the method further comprises: 

transferring the plurality of bundles to the second destination, the plurality 
of bundles includes a third bundle and a fourth bundle. 

10. The method of claim 9, wherein the third bundle is transferred to 
the second destination via a second link. 

11. The method of claim 9, wherein the fourth bundle is transferred to 
the second destination via a second out-of-band information carrying medium. 

12. The method of claim 9, wherein the third bundle is a plurality of 
second part bundle encryption key (BEK P2) bundles, each of the BEK P2 bundles 
includes a second part of the bundle encryption key and a combined integrity 
check value associated with a first encryption key and a second encryption key. 

13. The method of claim 12, wherein the second part of the bundle 
encryption key and the combined integrity check value are encrypted with the first 
encryption key and the second encryption key. 

14. The method of claim 12, wherein each BEK P2 bundle further 
includes a group identifier associated with the first encryption key and the second 
encryption key. 

15. The method of claim 9, wherein the fourth bundle includes a 
plurality of configuration encryption key (CEK) bundles. 

16. The method of claim 15, wherein each of the CEK bundles 
includes (i) a configuration encryption key, (ii) a key identifier associated with the 
configuration encryption key and (iii) an integrity check value associated with the 
configuration encryption key. 

17. A method comprising: 

at a first destination, recovering a current sort encryption key (SEK) and a 
next SEK based on information within a first plurality of incoming bundles and 
storing the current SEK and the next SEK in an internal memory of an electronic 
component; and 

at a second destination, upon receipt of the electronic component, 
recovering a private key from a key bundle based on the current SEK, the next 
SEK and a second plurality of incoming bundles. 

18. The method of claim 17, wherein the current SEK represents a 
current period of validity for configuration of the electronic component. 

19. The method of claim 17, wherein the next SEK represents a next 
period of validity for configuration of the electronic component. 

20. The method of claim 19, wherein the private key is prevented from 
being recovered if the next period of validity has lapsed. 

21. The method of claim 17, wherein the first plurality of incoming 
bundles includes a plurality of configuration window (CWIN) bundles. 

22. The method of claim 21, wherein each of the CWIN bundles 
includes (i) a first key identifier associated with the current SEK, (ii) the current 
SEK, (iii) a second key identifier associated with the next SEK, (iv) the next SEK 
and (v) a group integrity check value for a first encryption key and a second 
encryption key. 



23. The method of claim 22, wherein the first key identifier, the current 
SEK, the second key identifier, the next SEK and the group integrity check value 
are encrypted with the first encryption key and the second encryption key. 

24. The method of claim 23, wherein each CWIN bundle further 
includes a group identifier associated with the first encryption key and the second 
encryption key. 

25. The method of claim 17, wherein the first plurality of incoming 
bundles includes a plurality of sort encryption key (SEK) bundles. 

26. The method of claim 25, wherein each of the SEK bundles includes 
(i) a sort encryption key, (ii) a key identifier associated with the sort encryption 
key, (iii) an integrity check value associated with the sort encryption key. 

27. The method of claim 17, wherein the second plurality of bundles 
includes a plurality of first part bundle encryption key (BEK P2) bundles and a 
plurality of second part bundle encryption key (BEK P2) bundles. 

28. The method of claim 27, wherein each of the BEK P2 bundles 
includes a second part of the bundle encryption key and a group integrity check 
value for a first encryption key and a second encryption key. 

29. The method of claim 28, wherein one of the BEK P1 bundles 
includes a first part of the bundle encryption key and an integrity check value 
associated with the current SEK. 

30. The method of claim 29, wherein one of the BEK P1 bundles 
includes a first part of the bundle encryption key and an integrity check value 
associated with the next SEK. 

31. The method of claim 30, wherein the bundle encryption key is 
recovered upon recovering the first and second parts of the bundle encryption key. 

32. The method of claim 31, wherein the private key is recovered using 
the bundle encryption key. 

33. A method comprising: 

receiving at least a first bundle via a first link; 

receiving at least a second bundle via a first out-of-band information 
carrying mechanism; 

recovering a current sort encryption key (SEK) and a next SEK based on 
information contained in the first bundle and the second bundle; and 

storing the current SEK and the next SEK in an internal memory of an 
electronic component. 

34. The method of claim 33, further comprising transferring the 
electronic component to a second destination. 

35. The method of claim 34 further comprising receiving at least a 
third bundle via a second link; 

receiving at least a fourth bundle via a second out-of-band information 
carrying medium; 

recovering based on information in the third bundle, fourth bundle, the 
current SEK and the next SEK. 

36. The method of claim 35 further comprising recovering a private 
key based on the bundle encryption key. 

37. A network comprising: 

a source to output a first collection of encrypted keying material and a 
second collection of encrypted keying material; 

a first destination to receive the first collection of encrypted keying 
material, to decrypt keying material originating from the first collection of 
encrypted keying material for recovery of sort encryption keying material and to 
store the sort encryption keying material into an internal memory of an electronic 
component; and 

a second destination to receive the second collection of encrypted keying 
material, to decrypt keying material originating from the second collection of 
encrypted keying material for recovery of at least private key for subsequent 
loading in the internal memory. 

38. The network of claim 37, wherein the first destination is physically 
separated from the second destination. 

39. The network of claim 37, wherein the sort encryption keying 
material includes a current sort encryption key (SEK) and a next SEK. 

40. The network of claim 39, wherein the current SEK and the next 
SEK collectively represents a period of validity in which the electronic component 
must be configured. 

41. The network of claim 37, wherein the second destination further 
recovers a digital certificate chain from the second collection of keying material 
and loads the digital certificate chain into the internal memory. 

ABSTRACT 

In one embodiment, a method is described to securely transfer data from one 
location to another for storage in an electronic component. The transfer occurs 
with part of the data routed to a first destination and the remaining data routed to a 
second destination. The data routed to the first destination is for securely loading 
a current sort encrypted key (SEK) and a next SEK into memory of the electronic 
component. The data routed to the second destination includes a private key 
which is recovered using the current SEK and the next SEK. 